[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] retrieving a list or query filter of resourcesthe caller is authorized for
Some thoughts in response to your comments inline.
Yoichi Takayama wrote:
4D2560EC-5EEA-4EA5-B50A-42899BAA2AB9@gmail.com" type="cite">Hi Rich,From my perspective, the query can be regarded as a request for a list of resources. The Obligations that the Policy returns in response may be regarded as: the PEP MUST execute these queries against the resource store in order to return the list that has been requested.
The PDP cannot, in principle, return a list of resources, because it has no direct knowledge of the resources. Furthermore, the resource store may be in a state of constant change as resources are added and removed to the repository. What the PDP has is the PolicySets governing access to the resource repository. It is able to do this because, in general, a repository has language semantics that can be used to define scopes of resources within the repository. When the XACML Request is for the list of resources, it is only the PDP that knows how to generate this list, and at the same time the PDP is unable to generate the list, and therefore, to satisfy this request, can only return the instructions to the PEP for how the PEP can generate the list.
In the model you have suggested that:the PDP determines its response from the Target, Policies, and Attributes, I think the proposed solution is in that category, as what is returned is the set of applicable expressions from the Policies as determined by the Targets. For each applicable PolicySet, if the request is for the resource, then the rule is applied to the resource-id, but if the request is for the "list" of resources, then what is returned is the rule that would have been applied to the resource-id if it had been provided. It is only the PEP or other external entity that can produce the list and it is only the PDP that can provide the command that will produce the list.
4D2560EC-5EEA-4EA5-B50A-42899BAA2AB9@gmail.com" type="cite">I am not sure I agree with the problem statement here. It appears to be saying that in order to provide a response to a query, that response must return a function that is the exact inverse of whatever constructs could conceivably put into a Policy.
To me, that is an academic problem, as opposed to a real world problem. If an enterprise places constraints on the manner in which Policys are allowed to be specified, then I think it is reasonable to be able to produce responses that are within the scope of those constraints.
For example, my suggestion was to define the query for hierarchical resources. For a single hierarchy, the solution is fairly simple if access is only allowed to permitted resources - just return the list of regexps, and the pep can execute the queries and return the collected list.
If the situation involves more complex rules, such as mixing permits and denies, then the returned lists will have to specify whether they are permits or denies, and a combining algorithm, such as permit-overrides or deny-overrides, which then puts responsibility on the PEP to understand how to execute the individual regexps and combine the results.
I have not analyzed this more complex use case, but it seems to me to be manageable for a set of well defined hierarchies, where the rules are all defined in terms of a syntax used for those hierarchies.
Also, I think one must consider that at some point, making the policies too complex actually reduces the effectiveness of the system because it becomes very difficult to understand the rationale for decisions that are made by the system, which represents a loss of control by management over the organization.
4D2560EC-5EEA-4EA5-B50A-42899BAA2AB9@gmail.com" type="cite">One other thought is that the query could conceivably be done in 2 phases: